BYLD Wealth — Security Implementation Plan
Vivek Kumar, Head of Engineering
Security Roadmap
March 2026 · Confidential
9
Sprints
18-week security roadmap
7
Compliance Frameworks
SEBI, DPDP, RBI, PCI DSS+
₹8-13L
Security Budget
VAPT, Legal, Insurance
200+
Adversarial Tests
8 attack categories
02 Sprint-by-Sprint Security Timeline
Deliverable S1S2S3S4 S5S6S7S8S9
SAST/SCA PipelineStatic analysis + dependency scanning
SAST/SCA
PII Vault + EncryptionTokenization, AES-256, KMS
PII VAULT
MIA Safety PipelineIntent classifier + guardrails
MIA SAFETY
Prompt Injection DefenseInput sanitization + jailbreak tests
PROMPT DEF
Adversarial Testing + VAPT200+ tests, external pen test
VAPT
Beta Feedback + IterationSecurity hardening from user testing
BETA
Compliance HardeningAudit trail + certification prep
AUDIT
Dashboard + Production SecMonitoring, alerting, WAF
PROD
Launch Security ReviewFinal sign-off + go/no-go
LAUNCH
03 MIA AI Safety Pipeline
1
Intent Classifier
Claude Haiku classifies user intent — financial query, general chat, or adversarial probe
<100ms latency
2
Input Sanitizer
Strips prompt injections, PII leaks, and encoded attack payloads
Regex + ML filter
3
LLM Generation
Sonnet with system guardrails — financial disclaimers, no specific advice
Guardrailed output
4
Output Classifier
Flags responses crossing educational → advisory boundary before delivery
Edu vs Advice gate
04 Adversarial Test Suite Breakdown
Prompt Injection
40
Financial Hallucination
30
Regulatory Boundary
30
PII Extraction
25
Jailbreak
25
Action Safety
25
Multi-turn
15
Language Mix
15
Total Adversarial Tests: 205
05 Regulatory Compliance Matrix
Regulation Key Sections Sprint Gate Status
SEBI RIA Regulations Advisory boundary, disclaimers, suitability S3 – S4 Active
DPDP Act 2023 11 sections — consent, purpose limitation, data retention, breach notification, DPO appointment S1 – S7 Active
RBI Account Aggregator Consent artefact, data flow security, FIP/FIU compliance S2 – S4 Active
UIDAI (Aadhaar) Masking, virtual ID, consent framework S1 – S2 Pending
PCI DSS v4.0 Network security, access control, encryption, monitoring S5 – S7 Planned
IT Act 2000 Sec 43A (data protection), Sec 72A (disclosure), CERT-In reporting S7 – S8 Planned
06 Security Budget Allocation
Line Item Description Budget (₹) Timing
External VAPT Third-party penetration testing (web, API, mobile) ₹3–5L Sprint 5
Legal Review Compliance counsel for SEBI, DPDP, RBI frameworks ₹2–3L Sprint 7
Cyber Insurance Coverage for data breach, business interruption ₹3–5L Sprint 8
Security Tools Semgrep, Trivy, OWASP ZAP (free/OSS tier) ₹0 Sprint 1
AWS KMS Key Management Service for encryption at rest ₹24K/yr Sprint 1
Total Estimated Budget ₹8–13L
07 PII Protection Architecture
🔐
Tokenization Vault
PII stored as irreversible tokens. Original data in isolated vault with strict IAM policies.
AES-256 + HMAC
🔑
Field Encryption
Sensitive fields encrypted at application layer before database storage. Per-field key rotation.
AWS KMS envelope
🧹
Conversation Scrubbing
Real-time PII detection and redaction in MIA chat logs. No PII reaches analytics pipeline.
NER + regex patterns
🪪
Aadhaar Masking
UIDAI-compliant masking — only last 4 digits displayed. Virtual ID support for verification.
UIDAI guidelines